Brazilian docs fool biometric scanners with bag full of fake fingers

Some fingerprint scanners aren't very discerning.

The BBC is one of several outlets carrying the bizarre story of a Brazilian doctor arrested for allegedly defrauding her employer, a hospital in the town of Ferraz de Vasconcelos, near São Paulo. At the time of her arrest, she was equipped with a total of sixteen fingers—ten of which God gave her, and six of which were crafted of silicone and given to her by coworkers. At least three of the extra fingers bore the prints of fellow doctors at the hospital.

The doctor, Thaune Nunes Ferreira, 29, claims through her attorney that she was forced to use the silicone fingers to clock in to the hospital's time card system in order to cover for absentee colleagues. "She says she was innocent because it is a condition they imposed on her to keep her job," the attorney notes.

According to the Bangkok Post and several other sources, Brazil's Globo TV International network obtained and played footage of Ferreira clocking in to the hospital with her own permanently attached digits, then touching the same fingerprint scanner with two of the silicone fakes. The scanner produced paper time card receipts for her and the two employees to whom the silicone fingers' prints belonged. In this way, notes the Post, "it looked like there were three doctors on duty when there was just one."

Five doctors at the hospital have been suspended so far for allegedly taking part in the scam, which let them pocket pay while not showing up for work. However, this is symptomatic of a much larger "ghost employee" problem in Ferraz de Vasconcelos. The mayor speculated that there are at least 300 more public employees in the town spread across health, education, and security who are engaged in similar time card fraud. The members of this "army of ghosts," as the mayor calls it, are all receiving pay without showing up for work.

It is not stated whether the army of ghosts employs an army of silicone fingers to clock in for them, but that would definitely be creepy.

Lee Hutchinson
Lee is the Senior Technology Editor at Ars and oversees gadget, automotive, IT, and culture content. He also knows stuff about enterprise storage, security, and manned space flight. Lee is based in Houston, TX. Email: lee.hutchinson@arstechnica.com // Twitter: @Lee_Ars

You could get the silicone fingers made basically anywhere here. Most places will not ask you questions unless there is a law demanding them to. As far as I know, we do not have laws that determine what kind of objects, pieces of things or anything that can be made out of silicone. So you just take the model there and get them to craft it for you. However, I believe fingerprints might be more difficult to do because of the fine details in them, so they may have done it somewhere with a higher level of proficiency. Police are likely going to look for that in the area, but I'm not sure.

You can trick biometrics readers rather easily, indeed. Moreover, she and her colleagues work (I wish I could say "worked" here, but.. This is Brazil after all) for a public hospital. Those are obliged by law to buy everything from public auctioning, and picking the lowest offer which fulfills the specs (which are often very poorly-written, thus "anything fits it"). The end result is that these hospitals get the cheapest, easiest-to-trick equipment, so there is no hope in them switching to smarter machines that could spot it.

Lastly, I've been reading about this way more from news outlets from outside Brazil than I did from local ones. I guess it goes to show how much effort into preventing it there is around here..

I did a bit of googling, and it seems they can check for more than just the presence of a pulse:

Quote:

It captures data from the cutaneous and subcutaneous tissue of the finger using several features of the electromagnetic field. Aside from this data and through infrared light, absorption levels of the hemoglobin in the blood are measured

You could get the silicone fingers made basically anywhere here. Most places will not ask you questions unless there is a law demanding them to. As far as I know, we do not have laws that determine what kind of objects, pieces of things or anything that can be made out of silicone.

Things I didn't know before today: Brazil is like the Wild Wild West of Silicone.

Security always comes back to the human system of trust. So, the question isn't "why is there a bag of fake fingers?" It could have been ID swipe-cards or just PINs for a door. Shift labor in past decades could easily stamp each other's time-cards in the little clock gadget.

The interesting question is: what are the economic and social contexts of this ghost-worker problem? Why would a worker cover for several colleagues so regularly that this is necessary? Was this doctor being paid by colleagues or what? Were prescription and health records of patients also signed fraudulently? If so, why is no one in jail? If not, why was this not noticed, and why were the other doctors being paid at all?

This is a compensation and management problem, not a biometrics problem.

Fingerprint scanners are just another tool that provides folks with a false sense of security. They are practically useless and can be defeated in any number of ways. The only practical use I have seen is for restaurant POS systems. And even then, they are clocking in and out all the time for each other.

The City of New York also has a fingerprint scanner system for clocking in and out called CityTime. However, the union contract for the city exempts union employees from having to use CityTime. The rest of the city workforce is made up of non-hourly wage managers who were also exempt.

The only people who had to use it were the various consultants who had never seen a time clock in their life. Even worse, there was a mandatory 30 break we had to take between the hours of 11:30am and 2pm. Most of the consultants would quit after a couple of months and find another position -- one without a time clock.

The interesting question is: what are the economic and social contexts of this ghost-worker problem? Why would a worker cover for several colleagues so regularly that this is necessary?

Well, according to the last report, Brazil loses 4 billion dollars each year due to stealing from the government. Ghost-workers are just one more of the ways (like fraudulent public auctions, overpaid purchases, public constructions that never end - World Cup and Olympic Games have been a party over here).

ads2 wrote:

Was this doctor being paid by colleagues or what? Were prescription and health records of patients also signed fraudulently?

Probably yes for both questions. You can probably add selling prescriptive drugs that were supposed to be given to the patients to the list of crimes.

ads2 wrote:

If so, why is no one in jail? If not, why was this not noticed, and why were the other doctors being paid at all?

Are these rhetorical questions? The Hospital executive manager was involved (his nephew never worked in there during the last 3 years and got paid). It was also happening in a small country town, so less visible to auditing eyes. And eventually someone noticed, that's why this is being reported.

But if you do some research about Brazil you will find out that impunity is the norm there. Just as an example, an ex-Governor from São Paulo state is being prosecuted in Great Britain for stealing money from the state and hiding it at some fiscal heaven belonging to the UK, but he is not going to jail in Brazil. Actually, last election he got elected as Federal Congressman.

ads2 wrote:

This is a compensation and management problem, not a biometrics problem.

No, this is an intrinsic problem to the Brazilian culture: corruption at the utmost level. From all points of view in the Brazilian society the culture is sort of taking advantage of everyone and everything to make money. And those who are not part of this wicked system have a really hard time.

I think Mythbusters did this already, didn't they? IIRC, there were even some scanners they were able to fool with a photocopy of a fingerprint that they had licked (to give it warmth and moisture).

I thought of this also. Kind of scary to think of the places that employ these scanners, given how easily beaten they are.

And the next level of security is presumably retinal scanners, and it's only a matter of time before they are beaten - if it's not already happened.

Would a photo do it? What about identical twins?

Or, if Hollywood is to be believed, a pair of contacts...

Retinas are unique. No 2 persons on the planet have the same pattern. Not even twins. The problem with retina scanners is that they are still too expensive and eye disease can mess with identification.

I was trying to google an article I read a while ago. Maybe someone here has come across it?

Apparently very basic facial recognition scanners can be fooled by profile pictures. The more sophisticated ones that use heat were much harder to crack but also had issues on allowing the actual user to have consistent access due to minor variations.

You can trick biometrics readers rather easily, indeed. Moreover, she and her colleagues work (I wish I could say "worked" here, but.. This is Brazil after all) for a public hospital.

Please don't start the third world very dangerous, corrupt and poor country speech. Fortunately, that kind of event belongs to a small percentage of cities. Oh, and they worked there, as in don't work anymore. The new challenge for the local mayor is to detect and identify other cheaters around public service in his city. Please don't let those kinds of people determine your view of the entire country.

You could get the silicone fingers made basically anywhere here. Most places will not ask you questions unless there is a law demanding them to. As far as I know, we do not have laws that determine what kind of objects, pieces of things or anything that can be made out of silicone.

Things I didn't know before today: Brazil is like the Wild Wild West of Silicone.

This is a relief! If at any time I'm kidnapped so some thugs can cut off my fingers and use them to access some location, I can propose they simply make silicone moulds of my fingers.

I think the better fingerprint scanners make sure your thumb is actually still attached to your body. Ideally they'll also eventually include some way of making sure you aren't being held there against your will.